
Using Google Tag Manager in a GDPR-compliant way – what the legal situation says


Can Google Tag Manager be used in a GDPR-compliant way, and what is the legal situation? This article explains how Google Tag Manager works, how it relates to the GDPR, and which cookie consent solutions are viable.

Google Tag Manager and cookies – this is how the tool works

The Google Tag Manager serves as a tool for managing and controlling cookies, conversion pixels or tracking codes from programs such as Google Analytics or Bing Ads. The application itself works with tags and triggers and – as is often assumed – forwards the information collected on the website via cookies directly to the appropriate tools for further processing. The codes themselves, which are used on the website for various purposes (advertising, tracking…), are not stored in the source code of the site, but in a special container.

Working with the tag manager is efficient and simplifies the management of tracking and cookies. Even people with little IT experience are able to embed the required code. This also applies to the operation of the tag manager via the simply designed and intuitive web interface, which also requires no expert knowledge. What’s more, just about all the tags and pixels you need are usually available as a template. Users can not only benefit from (almost) obligatory applications such as Google Analytics, but also from Bing Ads, Google Ads or testing tools such as AB Tasty.

Without a tag manager, the individual code snippets would have to be inserted into the website’s source code by hand, which takes a corresponding amount of time. It also requires appropriate programming knowledge if the website is to function correctly after the “intervention”.


Google Tag Manager Privacy Policy

The uncomplicated handling of the Tag Manager ensures that marketing is largely independent of IT. This not only saves companies time, but also allows valuable IT resources to be allocated elsewhere. The numerous templates for the Google Tag Manager are just as beneficial. The GTM provides templates for programs such as Google Analytics, Google Ads Remarketing, Hotjar or Tradedoubler, which you can add quickly and easily. In detail, you benefit from the following advantages:

  • easy to use via the web interface
  • Preview mode streamlines tag testing
  • numerous templates available
  • various tags, triggers and variables templates
  • integrates seamlessly into the cosmos of Google

Make Google Tag Manager GDPR compliant

The Google Tag Manager has been considered problematic since the annulment of the Privacy Shield Agreement by the European Court of Justice (ECJ) in July 2020 (“Schrems II”). The Privacy Shield Agreement originally provided that European consumers could rely on the same level of data protection when transferring data across the pond as they find in the EU. The problem: Due to the legal situation in the USA, authorities can access the data of US giants such as Microsoft, Google or Amazon via state surveillance law. For the Google Tag Manager and the applications connected to it, this means that the data transfer can theoretically be implemented over a very narrow legal-technical corridor at best. In practice, however: According to Schrems II, applications such as Google Analytics & Co cannot be implemented in a legally compliant manner.

Does that also apply to Google Tag Manager? In principle, it is said that the Google Tag Manager itself does not set any cookies and only manages cookies from AdSense or Google Analytics in a container. From the perspective of the GDPR, the problem here is the addendum on data processing (April 12, 2021):

“If you indicated that you are located in the European Economic Area (EEA) when creating your account, you have already accepted the Data Processing Amendment as part of the Terms of Service.”

Google Tag Manager addendum to data processing

However, the data protection regulation requires transparency, while the information on data processing by the search engine giant remains nebulous and vague:

“Our use of Google Tag Manager data
We may collect information such as how the service is used, and how and what tags are deployed. We may use this data to improve, maintain, protect and develop the service as described in our privacy policy, but we will not share this data with any other Google product without your consent.”

Google privacy

Google claims here that it does not link any data to other Google services without consent; however, this in no way precludes disclosure to third parties. It is also unclear whether the collection of data is absolutely necessary or whether it goes beyond mere (technical) necessity.

Due to these uncertainties, the Google Tag Manager should never be run without the user’s consent. All the more so since, to all appearances, the Google Tag Manager itself sets cookies as a control and administration tool, even if common statements point in a different direction. It is claimed that GTM only sends data from a website to the correspondingly connected tools.

According to this reading, the management of cookies, i.e. setting, changing and deleting, only takes place in applications such as Google Analytics. This allows the GTM to work hand in hand with Cookie Consent Managers. Where tags and triggers can be blocked by the website visitor from the outset, non-essential cookies are no longer set. However, the advantage of central control of important marketing tools is gone, since none of the applications are allowed to collect any data at all.

In this context, however, blogs point out that data (IP, browser information, language, …) and possibly cookies are already transferred when the Google Tag Manager is loaded, before Google Analytics and Co. are delivered. With a view to Schrems II, this situation is questionable, since data is being sent across the pond to the USA, a state that after Schrems II was considered an “unsafe third country” due to numerous data scandals. Another problem is the need to explain all the tools used, including the GTM, in accordance with Article 13 GDPR, since these tools should at least be explained in the data protection declaration.


Google Tag Manager and the opt-in function

Google Tag Manager proves to be more GDPR-compatible when it comes to opt-in. The background: Since the ECJ ruling on cookie consent of October 1st, 2019, users must actively agree to the use of cookies and either click on the corresponding checkboxes themselves or not. To prevent cookies from being set without active consent, set up the opt-in via Google Tag Manager. This ensures data protection in the Google Tag Manager.

To set up opt-in in Google Tag Manager, create a variable, a trigger, and the tag. Set the trigger and block analytics after setting the cookie. Finally, implement a predefined HTML link on the imprint or data protection page of the website. If the CMS prevents the link from being implemented, an onload event is required instead, which means changing the code of the tag and adjusting the trigger accordingly.

Setting up the opt-in function via Google Tag Manager is relatively uncomplicated due to the easily understandable instructions available online and does not necessarily require in-depth IT knowledge.

Google Tag Manager – GDPR and Cookie Consent Tools

Only if you disregard the problem areas GDPR and Schrems II can you still cite the basic convenience of the Google Tag Manager as an advantage. This results from the simple and uncomplicated integration of cookie consent solutions into the Google application. The cookie consent banner serves as an intermediary between the opt-in options defined in the GTM and the website visitor, who should be free to decide whether to agree to cookies or a selection of them or to reject all cookies.

Accordingly, the data protection regulations result in a division of tasks and cooperation between cookie consent solutions and the Google Tag Manager. The Google Tag Manager is sufficient for the default opt-in settings. In order to make the Google Tag Manager GDPR compliant, cookie consent solutions are indispensable, as they show the site visitor a selection window for consenting to or rejecting the cookies. As long as the user does not give their consent, the Google Tag Manager will continue to block the cookies to be set. Only when the site visitor has actively consented to the cookies are the corresponding cookies stored on the user’s end device.


Cookie consent solutions for security and convenience

The market offers a variety of different solutions to ensure compliance with GDPR as well as ePrivacy directives related to cookies and tracking. There are solutions that basically block all cookies and trackers and only release them as soon as the site visitor agrees. In this case, it would theoretically not be necessary to set up the opt-in in Google Tag Manager.

Other cookie consent management solutions offer extensive services by running all Google services in a network under the website interface and generating the selection window for the site visitor. In this way, cookie consent solutions help make the Google Tag Manager GDPR compliant. However, due to the current legal situation, the supposed convenience of the Google Tag Manager is turning into mined territory. The only way out would be less convenient: why not use a tag manager that runs locally on your own server instead of using an external one?

The individually adapted solution for every website operator

The consent banner is the selection window that a cookie consent solution presents to the site visitor to allow or reject the storage of cookies. These windows vary in user-friendliness, often adapt to the layout of the website and interact with Google Tag Manager to ensure GDPR compliance, because the Tag Manager only lifts the opt-in block if the site visitor agrees to the storage of the cookies.

The market offers a wide range of powerful cookie consent solutions, also known as consent management providers (CMP). In some cases, you can optimally adapt the solutions to the requirements of your company or your website. This includes the integration of existing analysis tools, the individual design of the opt-in window or the presetting of the cookie selection for the site visitor.

As a company, you have the choice between free and paid solutions. Smaller companies in particular often opt for free solutions as a first step. However, make sure that the selected CMP reliably meets the requirements of the GDPR.

GDPR requirements for consent management providers

The GDPR is not only an issue for the Google Tag Manager, but also for the requirements for the content design of a consent banner. These points were also confirmed by a court judgment of the ECJ and are therefore binding.

  • Recipients of the data must be presented clearly
  • clear presentation of the activity of data processing, marketing, analysis, etc.
  • The site visitor must be able to select or deselect each classification individually
  • no pre-selection of recipients and activities
  • all cookies must be blocked until the user agrees

Other important points that a powerful consent solution must meet and that you should definitely keep in mind before deciding on a product from the provider:

  • Location of storage of the consent – locally on the user device or in a database (important for the ability of the site operator to provide information)
  • What options are there for the user to revoke consent or to check the status of their own consent?
  • Length of the lifespan of the cookies
  • Is there detailed information on the processing of the data?
  • Is the purpose of a cookie clearly recognizable?

Regardless of whether you use a paid or free tool: only opt for the cookie consent solution of a consent management provider that meets these requirements.

Conclusion

Of course: The Google Tag Manager significantly simplifies the integration of common tools, especially for marketing purposes. Nevertheless, the integration has proven to be problematic at the latest with the ECJ judgment of July 2020 referred to as Schrems II. Data gets into the USA through the use of the GTM (and other connected tools) and thus offers targets for lawsuits and fines. Also from the perspective of the GDPR, the Google Tag Manager works anything but GDPR-compliant due to vague statements on the subject of data processing. A legally flawless integration of the GTM is therefore almost impossible. The only perspective currently left is to only load it after consent via a cookie consent provider such as consentmanager as a precaution. However, this does not mean that you are on the safe side.
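
Loading the container only after consent, as recommended above, can be sketched in browser JavaScript as follows. This is an added example, not code from consentmanager or Google: the container ID is a placeholder, and the storage key, the `consent_ready` event and all function names are hypothetical.

```javascript
// Added example: consent-gated loading of the GTM container.
// GTM_ID is a placeholder; CONSENT_KEY and all function names are hypothetical.
const GTM_ID = 'GTM-XXXXXXX';
const CONSENT_KEY = 'site_consent_v1';
const PURPOSES = ['analytics', 'marketing'];

// Read the stored decision. Anything missing or malformed counts as "no consent",
// so no purpose is ever pre-selected.
function readConsent(storage) {
  const result = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || 'null');
    if (!parsed || typeof parsed !== 'object') return result;
    for (const p of PURPOSES) result[p] = parsed[p] === true;
    return result;
  } catch (e) {
    return result;
  }
}

// Inject gtm.js only if at least one purpose was actively granted.
// Returns true if the container is (now) loaded, false if it stayed blocked.
function loadGtmIfConsented(win, doc, storage) {
  const consent = readConsent(storage);
  if (!PURPOSES.some((p) => consent[p])) return false; // no request to Google at all
  if (doc.getElementById('gtm-loader')) return true; // already loaded, do not inject twice
  win.dataLayer = win.dataLayer || [];
  // Expose the per-purpose choice so GTM triggers can block individual tags.
  win.dataLayer.push({ event: 'consent_ready', consent });
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const s = doc.createElement('script');
  s.id = 'gtm-loader';
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(GTM_ID);
  doc.head.appendChild(s);
  return true;
}

// Called by the banner when the visitor saves a choice (grant or revoke).
function saveConsent(win, doc, storage, choice) {
  const clean = Object.fromEntries(PURPOSES.map((p) => [p, choice[p] === true]));
  storage.setItem(CONSENT_KEY, JSON.stringify(clean));
  const loaded = loadGtmIfConsented(win, doc, storage);
  // Revocation cannot unload scripts that already ran; a reload starts clean.
  const needsReload = !loaded && doc.getElementById('gtm-loader') !== null;
  return { loaded, needsReload };
}
```

On a real page, call `loadGtmIfConsented(window, document, localStorage)` once at startup and `saveConsent(...)` from the banner's save handler.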

